如何设置';安全';ASP.NET MVC网站中Cookie的标志?
我在web.config中设置了以下内容:如何设置';安全';ASP.NET MVC网站中Cookie的标志?,asp.net,asp.net-mvc,security,cookies,owasp,Asp.net,Asp.net Mvc,Security,Cookies,Owasp,我在web.config中设置了以下内容: <system.web> <httpCookies httpOnlyCookies="true" requireSSL="true" /> </system.web> 给出: % Total % Received % Xferd Average Speed Time Time Time Current Dload
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Trying 194.73.98.116...
* Connected to www.mywebsite.com (111.11.11.111) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [85 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2618 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [401 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [138 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: OU=Domain Control Validated; CN=*.mywebsite.com
* start date: 2015-07-29 13:37:38 GMT
* expire date: 2018-07-29 13:37:38 GMT
* issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
} [5 bytes data]
> GET /Account/Login HTTP/1.1
> Host: www.mywebsite.com
> User-Agent: curl/7.43.0
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Expires: -1
< Server: Microsoft-IIS/8.5
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Frame-Options: Deny
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Security-Policy: default-src 'self';script-src 'self' www.google-analytics.com www.googletagmanager.com;object-src 'none';style-src 'self' fonts.googleapis.com;img-src 'self' www.google-analytics.com placehold.it placeholdit.imgix.net data:;media-src 'none';frame-src 'none';font-src 'self' fonts.gstatic.com;connect-src 'self';base-uri 'self';child-src 'none';frame-ancestors 'none';report-uri /WebResource.axd?cspReport=true
< X-Frame-Options: SAMEORIGIN
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: __RequestVerificationToken=bPWxIp8e4F4I0Jt26t5oZyvDM6059tAWSRbgc-b6Df5IMjyYFDD9fJKgRsKVjbtN3EGgtFuHcf1sTjlYSwDWgnlhSUuNW1q5yv3cGMxmEwE1; path=/; HttpOnly
< Date: Fri, 04 Dec 2015 10:03:35 GMT
< Content-Length: 12596
<
{ [12596 bytes data]
100 12596 100 12596 0 0 31101 0 --:--:-- --:--:-- --:--:-- 31101
* Connection #0 to host www.mywebsite.com left intact
%Total%接收到%x平均速度时间电流
数据加载上载总左速度
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
*正在尝试194.73.98.116。。。
*已连接到www.mywebsite.com(111.11.11.111)端口443(#0)
*ALPN,提供http/1.1
*密码选择:全部:!出口:!出口40:!出口56:!阿努尔:!低:!RC4:@强度
*TLSv1.2(OUT)、TLS标头、证书状态(22):
}[5字节数据]
*TLSv1.2(输出),TLS握手,客户端问候(1):
}[512字节数据]
*TLSv1.2(IN)、TLS握手、服务器hello(2):
{[85字节数据]
*TLSv1.2(IN),TLS握手,证书(11):
{[2618字节数据]
*TLSv1.2(IN)、TLS握手、服务器密钥交换(12):
{[401字节数据]
*TLSv1.2(IN),TLS握手,服务器完成(14):
{[4字节数据]
*TLSv1.2(输出)、TLS握手、客户端密钥交换(16):
}[138字节数据]
*TLSv1.2(OUT),TLS更改密码,客户端hello(1):
}[1字节数据]
*TLSv1.2(输出),TLS握手,完成(20):
}[16字节数据]
*TLSv1.2(IN),TLS更改密码,客户端hello(1):
{[1字节数据]
*TLSv1.2(IN),TLS握手,完成(20):
{[16字节数据]
*使用TLSv1.2/ECDHE-RSA-AES256-SHA384的SSL连接
*ALPN,服务器不同意协议
*服务器证书:
*主题:OU=域控制已验证;CN=*.mywebsite.com
*开始日期:2015-07-29 13:37:38 GMT
*到期日期:2018-07-29 13:37:38 GMT
*发行人:C=US;ST=Arizona;L=Scottsdale;O=GoDaddy.com,Inc;OU=http://certs.godaddy.com/repository/;CN=安全证书颁发机构-G2
*SSL证书验证结果:无法获取本地颁发者证书(20),仍在继续。
}[5字节数据]
>GET/Account/Login HTTP/1.1
>主持人:www.mywebsite.com
>用户代理:curl/7.43.0
>接受:*/*
>
{[5字节数据]
// This code will mark the forms authentication cookie and the
// session cookie as Secure.
if (Response.Cookies.Count > 0)
{
foreach (string s in Response.Cookies.AllKeys)
{
if (s == FormsAuthentication.FormsCookieName || s.ToLower() == "asp.net_sessionid")
{
Response.Cookies[s].Secure = true;
}
}
}
<authentication mode="Forms">
<forms ... requireSSL="true" />
</authentication>
-在您第一次收到cookie时,服务器会正确发送此类标志。因此,您可以从curl输出添加HTTP响应吗?@mehmetice:我已按要求添加了curl输出。奇怪的是,您的web.config代码对我来说很好。谢谢,我将尝试此操作。尽管我没有使用表单身份验证(或至少,未通过web.config配置),这个答案让我在ASP.NET身份验证设置代码中寻找一个类似的配置选项。CookieAuthenticationOptions
类似乎有CookieHttpOnly
和CookieSecure
属性,后者听起来很有希望。@MalikKhalil:我不同意:啊,明白了……谢谢你的建议me correct@garymcgill对于无法访问源代码的旧式系统,是否有一种方法可以在不更改代码的情况下保护它,甚至可以通过IIS设置或web.config@Moby@MalcolmSalvador是的,有一些使用重写规则的解决方案。我现在更新了我的答案,如果你还没有遇到它,希望它能有所帮助!
<authentication mode="Forms">
<forms ... requireSSL="true" />
</authentication>
<system.webServer>
<rewrite>
<outboundRules>
<rule name="Use only secure cookies" preCondition="Unsecured cookie">
<match serverVariable="RESPONSE_SET_COOKIE" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; secure" />
</rule>
<preConditions>
<preCondition name="Unsecured cookie">
<add input="{RESPONSE_SET_COOKIE}" pattern="." />
<add input="{RESPONSE_SET_COOKIE}" pattern="; secure" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
...
</system.webServer>